Replicant 6.0 for the Samsung Galaxy S3

This post contains outdated information and links to outdated images. See the wiki and blog for development updates, up-to-date documentation and current images! See the archived post for documentation about my initial work and findings. See this post for the Galaxy S2.

Changelog of the latest version (replicant-6.0-beta-0001 from 27.1.17)

Added support for external WiFi dongles that use the AR9271 chipset. Makes it possible to use WiFi with only free software as free firmware exists for the chip.

January security updates for the kernel

Changelog of the sixth alpha release (replicant-6.0-alpha-0006 from 6.1.17)

Only the most relevant changes are listed.

Fixed sending of longer SMS messages

Fixed entering the SIM lock PIN. Previously, if the PIN was entered incorrectly once, every subsequent try failed, even if the PIN was correct.

Reduced the camera preview resolution to speed up the preview a little bit

Moved the build system from Debian Jessie to Debian Stretch and fixed various build errors. This allows using the manifest merger tool and the Eclipse Java compiler from Debian.

Added the possibility to enable llvmpipe as software renderer by making it buildable for ARM. See the Tips section below.

Applied various performance improvements and fixes for graphics rendering, mostly from the Android-x86 project

Ported various security/privacy enhancements from the CopperheadOS project. This includes the possibility to set an encryption password that is different from the lock screen pin/password. The phone will reboot if the PIN was entered incorrectly more than four times. Some privacy enhancements for the browser.

llvmpipe has more complete EGL support than the Android software renderer, so more apps work with it, like Firefox-based browsers or more recent webviews. Unfortunately, llvmpipe is still too slow to be the default renderer, but I made it possible to switch back and forth between llvmpipe and the Android software renderer. ADB and root over ADB need to be enabled in the developer settings.

The camera "locks" sometimes or the error "Can't connect to camera" is displayed. Logs might help debugging this, at least the issue with the error message. Recent versions have a fix which allows taking a picture if the camera app seems to be unresponsive and you press the shutter button a second time.

Only the Galaxy S2 and S3 are supported. If you want to help getting other Replicant devices supported: Add the missing device repositories and try to merge the changes from CyanogenMod. If the device is not supported on the CyanogenMod 13.0 branch, you will have to look at forks that took up the development. Merging with an older branch could also be sufficient to get basic functionality working.

Newer webviews can't be used because they don't work with the software rendering. Webview version 43.0.2357.134 is currently in use. It was released in July 2015. This can be fixed by making llvmpipe fast enough so it can be used as the default software renderer. Currently, the Android software renderer is the default.

There are still prebuilt binaries in the source tree. I got rid of a lot of prebuilt binaries to make the build more trustworthy and to ensure that all tools are properly built from source with free software, but there are still a few left. The gcc-arm-linux-androideabi toolchain needs to be bootstrapped with proper 1st and 2nd stage compilers so it doesn't rely on the sysroot from the NDK. In general, there are still some prebuilt binaries from the NDK, SDK and other places in use, but nearly all of them shouldn't run on the host, but only on the Replicant device.

Please note that the build might even be broken on this branch and there are no git tags on this branch which pin the source code to certain versions.

Then download the source code:

repo sync

The F-Droid binary is downloaded separately. The download script will check if the signature of the F-Droid binary comes from the F-Droid release signing key. You can retrieve the current signing key with the command gpg --recv-key 7A029E54DD5DCE7A. Run the download script to get F-Droid:

./vendor/replicant/get-prebuilts

Before you can build the ROM in the regular way, you need to run a build script that takes care of building the toolchain:

./vendor/replicant/build-toolchain

In order to prevent strange errors, I recommend running the script in a newly opened shell, in which you haven't already run one of the commands like . build/envsetup.sh, lunch or make that change the environment.

Then you can run the regular build commands to create a Replicant 6.0 zip and recovery:

I also added a script that signs your build, takes care of generating the necessary keys and puts everything in the out/dist directory. Using this script, it is possible to rely on your own keys and not on the test keys which are not recommended to use because the private test keys are publicly available. Building from source and flashing the default image that is signed with the test keys basically disables all the security measures in Android that are based on signing keys. The script also makes it possible to use password-encrypted private keys. The images below are signed with my keys using this script. You can run the script the following way:

./vendor/replicant/sign-build i9300

And finally you can flash the recovery in the download mode and sideload the zip in recovery mode:

If you have already built Replicant at some point and now you are getting build errors: Run make clobber and retry in a newly opened shell. If make fails, it may be necessary to run mka org.cyanogenmod.platform-res.

Add my key to your GPG keyring. You can retrieve it from the keyserver of your choice (gpg --recv-key 5816A24C10757FC4). Alternatively, you can download it from here: https://wiedmeyer.de/keys/ww.asc and import it with gpg --armor --import path/to/5816A24C10757FC4.asc. The key should have the following fingerprint: 0F30 D1A0 2F73 F70A 6FEE 048E 5816 A24C 1075 7FC4

You need to flash the new recovery first before you can flash the zip to your device. A full wipe is also necessary. Updating your ADB installation might help if you have problems with ADB. See the wiki for more details.
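
An added example, not part of the original post: `gpg --verify` reports success for a good signature from any key in the keyring, so this script compares the signer that gpg reports on its `--status-fd` output with the full fingerprint given above. The detached `.asc` signature file name and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the post or from Replicant.
# Pinned value: the full fingerprint published in the post above.
PINNED_FPR="0F30 D1A0 2F73 F70A 6FEE 048E 5816 A24C 1075 7FC4"

# Strip spaces and upper-case so "0f30 d1a0 ..." and "0F30D1A0..." compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# stdin: `gpg --status-fd` output. Prints the primary-key fingerprint of the
# signature; field 12 of VALIDSIG is the primary key when a subkey signed,
# otherwise fall back to field 3. Fails unless there is exactly one VALIDSIG.
status_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { n++; fpr = (NF >= 12 ? $12 : $3) }
         END { if (n != 1) exit 1; print fpr }'
}

# stdin: status output; $1: expected fingerprint. Returns 0 only for a single
# valid signature by the pinned key, with no expiry/revocation/error status.
check_status() {
    want=$(norm_fpr "$1")
    status=$(cat)
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    got=$(printf '%s\n' "$status" | status_primary_fpr) || return 1
    [ "$(norm_fpr "$got")" = "$want" ]
}

# Assumption: the image ships with a detached signature file (hypothetical names).
# usage: verify_image replicant-6.0-i9300.zip replicant-6.0-i9300.zip.asc
verify_image() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# Constructed status output (not captured from a real run).
sample_good() {  # signed by a subkey of the pinned primary key
    cat <<'EOF'
[GNUPG:] GOODSIG 1111111111111111 Constructed Signer
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2017-01-27 1485475200 0 4 0 1 8 00 0F30D1A02F73F70A6FEE048E5816A24C10757FC4
EOF
}
sample_other_key() {  # good signature, but from another key in the keyring
    cat <<'EOF'
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Other
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-01-27 1485475200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}
sample_revoked() {  # pinned key, but gpg reports it as revoked
    cat <<'EOF'
[GNUPG:] REVKEYSIG 5816A24C10757FC4 Constructed Signer
[GNUPG:] VALIDSIG 0F30D1A02F73F70A6FEE048E5816A24C10757FC4 2017-01-27 1485475200 0 4 0 1 8 00 0F30D1A02F73F70A6FEE048E5816A24C10757FC4
EOF
}
```

`verify_image` exits non-zero when gpg is missing or prints no status at all, so a failed check never passes silently.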

Replies (135)

Wow, fantastic work Wolfgang. I've noticed the age of replicant 4.2 is causing a few problems (broken/non-compliant webview being the most obvious), so it's excellent to see someone working to liberate a more recent version, particularly for the S3, the device I use. Perhaps Paul et al will assist and release a blessed replicant version 6? Or perhaps you fork and release separately? I can only offer my encouragement, keep it up.

I forgot to update my cgit server config for the LockClock app. That part should work now. Could you try again?I hopefully also fixed the error with the missing object in the frameworks_base repo. I cannot test this right now because I am on a very slow internet connection and a full clone takes forever, but cloning the repo locally on the server works without error.

Did a bit more investigation. The server repo is not corrupted. This happens if the connection is interrupted once during a full clone and git is not able to recover from this. I also got this error when I tried it the first time and I also noticed that my connection was reset during the clone. I removed the repo with rm -rf .repo/project-objects/frameworks_base.git.git and did a repo sync frameworks/base again. Then it worked.

Do you happen to know if Cyanogenmod has the Samsung backdoor fixed in the 13 or 12 versions? They ignored it in earlier releases. It's nice that they use the free drivers from Replicant now though.

Cyanogenmod will not be able to fix the backdoor as long as they choose to use the proprietary software for communicating with the modem. This is actually a perfect example of the superiority of free software over non-free software. Samsung never acknowledged the issue so it is very unlikely that they will provide updated binary blobs. So the users of Cyanogenmod or any other Android ROM that uses these blobs will have to live with this backdoor forever on the affected devices. In contrast, Replicant provides the source code of the radio interface and it will always be possible to fix security issues as long as the issues can be fixed in software.

But Paul can elaborate on this much more as he investigated and disclosed the issue.

Well in that case, there are a couple things they could do. Blocking these RFS messages in the kernel is one, properly sandboxing the RIL or enforcing access rights to only allow that software to access what it needs to are other.

First of all, sorry for my late involvement and for the big post, this will become...

To be honest, I really freaked out about this news! @Wolfgang: Thanks a lot for saving me from some (more) sleepless nights about Replicant's security situation. I bought a used I9300 as fast as I could and since this has arrived, I tried to figure out some basics:

I had to spend some hours to get the build process to work on my new (Arch based) operating system, I switched to a few days before. I don't know if this works this way for Parabola, too - but I hope it's a benefit for somebody to read how a regular user (which I am) brought this to fly, exactly.

I had the 'packages_apps_LockClock.git not found' error, too. @Wolfgang: Thanks for fixing this. I also had the 'frameworks_base.git cannot obtain needed blob' error. I don't know, I tried it several times in a row, (round about seven or eight times) before I switched my VPN-connection to a European one, (as you expect, I came from a non-European country before). After that I was able to fetch everything without errors -> really strange... For the sake of completeness, I ignored the notices: 'curl: (22) The requested URL returned error: 404 Not Found' and 'Server does not provide clone.bundle; ignoring.' on fetching the sources.

If you like to modify the /system/app apps to use them after building / flashing your ROM without copying them around, just touch the two files vendor/replicant/config/common.mk and vendor/replicant/get-prebuilts. If you need an example, I made a patch for my personal use which could show what I mean. The patch is attached to this post as get-prebuilds-adding-Superuser.patch.

If you get this 'flex-2.5.39: loadlocale.c:131: _nl_intern_locale_data: Assertion `cnt < (sizeof (_nl_value_type_LC_COLLATE) / sizeof (_nl_value_type_LC_COLLATE0)) failed.' or other flex related errors: This link helped me: https://bbs.archlinux.org/viewtopic.php?pid=1560042#p1560042 You could get the pre-recompiled flex binary from the link, replace it and make it executable:

chmod +x prebuilts/misc/linux-x86/flex/flex-2.5.39

But of course this isn't recommended, so I made the related patch (http://review.cyanogenmod.org/#/c/108768/) fitting for Replicant 6.0 and attached it to this post as build-allow-using-host-flex-binary.patch. So you can use the, (probably system shipped or self-built) flex version, by executing the following command before you build the Replicant sources:

export USE_HOST_LEX=yes

You can merge this patch by executing the following command inside the 'build/'-path:

git am < ../../{path to your .patch-file}

Furthermore I got this warning: '/bin/bash: prebuilts/python/linux-x86/2.7.5//bin/python: No such file or directory', so I just fetched it like this:

0002-Preserve-FRP-lock-if-wiped-during-SUW.patch

Every other patch was merged already or doesn't exist in AOSP, because it affects binary drivers for Nexus devices only. (The four patches are attached to this post).

But one patchset I can't fit into the existing sources. I can't say if Replicant 6.0 is affected by the vulnerability CVE-2015-6636, yet. Exactly, these two patches:

To indicate that the most, (probably all needed) patches from the January 2016 Bulletin are merged already, I updated the 'PLATFORM_SECURITY_PATCH'-level, made a patch from that modification and attached it to this post as: update-PLATFORM_SECURITY_PATCH-to-January-2016.patch. You can merge this patch by executing the following command inside the 'build/'-path:

I didn't need to modify or update my existing CWM-Recovery, (which was coming with Replicant 4.2) to flash Replicant 6.0.

But as I wanted to see what happens, when I try to encrypt my phone without setting a PIN/PW first, I broke my /data partition completely. I can't access, mount or format it after that - even after flashing other custom ROMs incl. several factory resets etc. So I tried to flash another Recovery by taking a prebuilt one from TWRP for the i9300 from here: https://dl.twrp.me/i9300/ I installed it this way:

I realized there is a basic root "management" by setting: Settings -> Developer options -> Root access -> from Disabled to: Apps only. But I wanted more or less the same root management as I knew it from Replicant 4.2, because I love the benefits like PIN protection or the clearly arranged logging overview. So I did the following:

Then simply extract the boot.img from the build replicant-6.0-i9300.zip with an archiver of your choice. Copy this boot.img renamed as 'orig-boot.img' to the created folder super-bootimg/output/replicant-6.0. To ensure your built su binaries are used, just copy your binaries from Superuser/Superuser/libs/armeabi/su to super-bootimg/scripts/bin/ from/to these locations:

Superuser/libs/armeabi/su -> super-bootimg/scripts/bin/su-arm

Superuser/libs/mips/su -> super-bootimg/scripts/bin/su-mips

Superuser/libs/x86/su -> super-bootimg/scripts/bin/su-x86

Finally execute:

cd super-bootimg/
sh build.sh

The resulting boot-images could be found here again: super-bootimg/output/replicant-6.0/ I took the 'boot-output-replicant-6.0-su-eng-r146.img' and put this renamed to boot.img back to my replicant-6.0-i9300.zip with an archiver of your choice. The differences between the single images are listed here: http://forum.xda-developers.com/android/software-hacking/wip-selinux-capable-superuser-t3216394 After flashing it (incl. factory reset afterwards) the new su binaries were set/used and I just had to install the Superuser app I built before to get the root management I wanted.

2) The lazy but NOT RECOMMENDED way - inject prebuilt su binaries into the installed Replicant 6.0 system

Terminal

If you miss a pre-installed Terminal Emulator just go to Settings -> Developer Options -> and activate: Local terminal. Probably this could be enough for some commands...

Live Wallpapers

The LiveWallpapersPicker doesn't need proprietary EGL blobs to let you set live wallpapers. But some single live wallpapers do. So I made a list of live wallpapers which could be found on F-Droid and are working natively on Replicant 6.0 when you have the LiveWallpapersPicker installed as a system app:

Also I'm not responsible for any damage on your device or anything else. Please use it at your own risk.

But if you want get a first impression of Replicant 6.0 on your i9300 instantly, feel free to try one of the following images for testing reasons:

replicant-6.0-HOMEMADE.zip
Download link: https://www.dropbox.com/s/35uwywh27lo3b9s/replicant-6.0-i9300-HOMEMADE.zip?dl=0
MD5: 7fc8ab1b063afd69483a39801b62a37b
SHA256: ba5b9bdb64aabfdd7a48134b0e432781020ca52e6df05c165b21552b15e8517d
SHA512: b2b0bd84deb4f21bde495d6e18aa2b9b3b2cf99482a58e93933fb4503c6479954f4f5bd06af68ef051163f5ba8add672683f5e5a66b156e71e24277189917b24
This is built from the sources provided by Wolfgang Wiedmeyer. I didn't touch the sources in any way.

replicant-6.0-HOMEMADE-SuMod.zip
Download link: https://www.dropbox.com/s/2q1btd39j9pdqiv/replicant-6.0-i9300-HOMEMADE-SuMod.zip?dl=0
MD5: ef509571fa34a2fcecc3bb60bf0cee17
SHA256: 07935ca0e674a3cee84b1803a6fd0af2e941cf1f3a9f4b683036d028b267cd4e
SHA512: ac8f45779b466bb914abb211cbcd0e6b00d1926ffcec18432e4af5a8d081fa4002f4308187c75b1dfd8b19f58183891f529a4c734820db40cc46754f1795aa0e
This is built from the sources provided by Wolfgang Wiedmeyer.

Additionally I've replaced the su-binaries (built by myself - and yes my nick could be better) in the boot-image and

added the Superuser app (built by myself) as 'prebuild' system app to get a slightly more secure root management.

Also I patched this build with the Nexus January 2016 Bulletin patches, (except the two CVE-2015-6636 patches as you can read above).

Furthermore I let the app 'LiveWallpapersPicker' exist, but removed the following system apps (mostly EGL needing- and so crashing live wallpapers) instead:

Building the su binaries

[...] The resulting su binaries could be found here Superuser/Superuser/libs/armeabi/su

Building the Superuser app

[...] Then I downloaded the Android SDK from here: https://developer.android.com/sdk/index.html#Other [...] Here you should install SDK Platform for API 22 and the Build-tools for 22.0.1, and don't forget to deselect the unneeded preselected packages. [...] The resulting app could be found here Superuser/Superuser/Superuser/build/outputs/apk/Superuser-debug.apk

excellent work, good to see the build steps and patches listed here.

as a side note, has anyone made an attempt to release a free SDK/NDK? or is Google's pre-built option the only choice at the moment?

The new CM recovery bootloader can't install ZIP's from sdcard? I'm using the replicant 4.2 recovery

I've seen a weird graphics bug a couple of times when after rotating the screen, some horizontal lines are not completely horizontal but have a one-pixel split somewhere on the screen. I can't reproduce it.

Overall, I don't see any significant reason why I couldn't use this daily. I would like to understand the freedom/privacy/security situation a bit better first though -- is it running replicant's RIL? Why is graphics so fast, is there no non-free acceleration happening?

The "replicant-6.0-HOMEMADE-SuMod" works so far pretty good on my S3. But I got a problem: When (re-)booting my phone, it doesn't ask me for my pin. In addition to that the OS doesn't recognize my SIM card. It always shows that no SIM is connected. But other ROMs work perfect. Just Replicant has this problem.

Encryption

Simply doesn't work for me :'( After clicking on [ENCRYPT PHONE] the device reboots and shows the typical 'unlock-encrypted-partition'-Android-Symbol, after that the boot screen, but then, (after a few seconds) I'll be thrown back to the lock screen,

without encrypting anything

without any errors or other messages,

tested with PIN, password and finally without PIN or password again. Found nothing for that, yet.

Settings -> Sound -> Other sounds

Crashes casually if you switch back to the Sound menu, (if you have modified settings inside of it, or not). Log created:

Many thanks for testing this and sharing your experiences! I will soon address everything you all reported back in more detail. For now the following things:

Please just use the recovery image that gets built with the ROM. It's in the out/target/product/i9300/ directory. Flash this first and then the zip. If this doesn't help and there are still problems with the SIM card: Is the SIM card pin-protected? If yes, could you temporarily remove the protection on a different device and test it again? I will need a logcat in any case if the SIM doesn't get recognized (adb logcat -b all).

Also I encourage everyone to contribute. If you have some patches, just attach them like My Self did it and I will go through them.

Settings -> Status Bar should be fixed with the changes I pushed today.

and installed a nightly build of CM13 after that for testing reasons. My PIN would be asked and I got a mobile data connection instantly. So I switched to the recovery again and flashed the unmodified Replicant 6.0 image, followed by a factory reset. After booting into this, my PIN won't be asked and the systems said again: "No SIM card".

If this doesn't help and there are still problems with the SIM card: Is the SIM card pin-protected? If yes, could you temporarily remove the protection on a different device and test it again? I will need a logcat in any case if the SIM doesn't get recognized (adb logcat -b all).

Nope, it was/is not PIN protected. I'll try to make a log ASAP...

Settings -> Status Bar should be fixed with the changes I pushed today.

Thanks for looking into this. (I saw that this menu-point is working in the tested CM13 nightly build (cm-13.0-20160104-NIGHTLY-i9300) some minutes ago, too). By the way:

the Settings -> Sound -> Other sounds menu-point crashes, and

the USB-connection shows the same behavior, and need the MTP <> PTP workaround before anything is working on CM13, too.

And finally, after all this, the encryption still doesn't work and shows the same behavior as described before, (after setting a lock screen PIN). I'll try that on the CM13 build ASAP...

@all of you: thanks a lot for all your great work and/or any other support!

Wrt USB: For me, the device is on the "Charge only" mode until I switch it to MTP manually every time I connect the cable, and then everything works. Choosing MTP under DeveloperSettings>USBConnection does not change that it comes up in "Charge only" mode on next cable connection. I have not needed to switch to PTP and then back to MTP to get anything to work. It seems the DeveloperSetting>USBConnection setting isn't "sticky".

Re SIM: I didn't try a SIM card in the device until now. I do get a PIN query on boot, however my SIM card is not PIN-protected so I did not know what to type. It says "No SIM card" after I cancel the PIN query dialog. So no success with SIM activities from me either (which qualifies as a show-stopper for me to start to use it daily... nothing else found so far does).

I can confirm the Setting->Sound->Other sound crash (not always, but usually).

Building worked fine after installing 'swig', and resolved the build failure in frameworks/base/. I've now flashed recovery.img from replicant-6.0. I'm using Apply Update => Choose from sdcard1 and then Wipe data/factory reset.

So I researched a bit. It seems, that I have to install the package 'lib32-python2' from AUR. The final problem is, that I can't build one dependency from that package, which is 'lib32-tk'. It breaks with:

[...]
Makefile:585: recipe for target 'libtk8.6.so' failed
[...]

I've tried several ways to get this to work, but I'm giving up now. Of course this is not a Replicant related problem. But I would share this experience anyway.

Does somebody else using an Arch (x64) based build environment and got the current Replicant 6.0 build process to work?